AD GPO push msi

Create a shared folder and give at least "Domain Computers" read permission on it (assigned packages are installed by the computer account at startup, so the computer, not the user, needs access).


Create a new OU and move the target AD computers into this OU.

Create a GPO linked to this OU and add the MSI files using the share's FQDN UNC path (for example \\server.domain.tld\share\package.msi, not a mapped drive letter).

(Use Computer Configuration, not User Configuration.)

Tick "Ignore language when deploying this package".

Keep separate x86 and x64 MSI packages, so untick "Make this 32-bit …" on the package properties.
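The steps above can be scripted from a domain-joined admin workstation with RSAT installed. The following is an added example, not part of the original notes: it creates the share with read access for Domain Computers, creates the OU, moves computers into it, creates the GPO, links it and disables the user-configuration half. The domain name, paths, OU and GPO names are placeholders. The package assignment itself has no cmdlet in the GroupPolicy module, so that last step is still done in GPMC using the UNC path the script prints.

```powershell
# Added example (not from the original notes). Requires the ActiveDirectory,
# GroupPolicy and SmbShare modules; all names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module SmbShare

$Domain    = "corp.example.com"              # assumption: AD DNS name
$OuPath    = "DC=corp,DC=example,DC=com"     # assumption: domain root DN
$SharePath = "D:\Deploy\MSI"                 # assumption: folder on this file server
$ShareName = "MSI$"                          # hidden share; clients still need READ
$OuName    = "GPO-Software"
$GpoName   = "Deploy-MSI"
$Netbios   = (Get-ADDomain).NetBIOSName

# 1. Folder, NTFS ACL and SMB share. Computer accounts read the package at
#    startup, so "Domain Computers" gets read/execute; only admins may write,
#    because anyone who can replace the MSI controls code run as SYSTEM on every client.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
icacls $SharePath /inheritance:r `
    /grant "$Netbios\Domain Admins:(OI)(CI)F" `
    /grant "$Netbios\Domain Computers:(OI)(CI)RX" | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess "$Netbios\Domain Admins" `
    -ReadAccess "$Netbios\Domain Computers" | Out-Null

# 2. OU for the deployment and move the target computers into it.
#    The filter is an assumption; adjust it to your naming convention.
$OuDn = "OU=$OuName,$OuPath"
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$OuDn'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $OuPath -ProtectedFromAccidentalDeletion $true
}
Get-ADComputer -Filter "Name -like 'PC-*'" -SearchBase "CN=Computers,$OuPath" |
    Move-ADObject -TargetPath $OuDn

# 3. GPO linked to the OU. Software is assigned under Computer Configuration only,
#    so the user half is disabled to keep processing cheap and the intent explicit.
$gpo = New-GPO -Name $GpoName
$gpo | New-GPLink -Target $OuDn -LinkEnabled Yes | Out-Null
$gpo.GpoStatus = "UserSettingsDisabled"

# 4. Package assignment is done in GPMC; use the FQDN UNC path, never a drive letter.
"Assign MSI packages in GPMC from: \\${env:COMPUTERNAME}.$Domain\$ShareName"
```

After the packages are added in GPMC, `gpupdate /force` followed by a reboot on a test client (assigned software installs at startup) and `gpresult /scope computer /h report.html` show whether the policy and the package were applied.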

Flash Player (New & Archive)



  1. After the push has finished and the software is installed, if someone removes it manually, will it be pushed again? No.
  2. If the software was already installed on the computer before the GPO push was set up, what happens? It is still pushed and installed. (Example with 7-Zip: computer 1 had 7-Zip 9.20, computer 2 had 7-Zip 18.06, and 7-Zip 16.04 was pushed. Computer 1 was upgraded to 16.04; computer 2 kept 18.06, but Add/Remove Programs shows 16.04 while the software is still 18.06. Manually installing 16.04 over 18.06 afterwards gave the same result, so the conclusion is that a GPO push does not consider the installed version; the result is the same as a manual install.)
  3. If the pushed software is removed from the GPO, is it removed automatically on the client? Tick "Uninstall the application when it falls out of the scope of management".
  4. After a long time in use, with many version upgrades, can the old packages be deleted? If point 3 is ticked, deleting even one of the older packages removes the software from every client; the recommendation is to delete all of them and then re-add the latest version.
  5. Software A ver1 can be installed on XP, Win7 and 10; software A ver2 only on Win7 and 10. How should XP be handled?
  6. Purpose of categories.
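Point 2 above describes Programs and Features reporting one version while a different version is actually on disk. The script below is an added example, not part of the original notes: it reads the Uninstall registry keys (both native and WOW6432Node, which matters because of the separate x86/x64 packages) and compares the recorded DisplayVersion with the version stamped in the installed executable. The "7-Zip*" name and "7z.exe" are the page's example product and an assumption about its executable name; pass other values for other products.

```powershell
# Added example (not from the original notes): find installs whose registry
# (Add/Remove Programs) version disagrees with the binary actually on disk.
function Get-InstalledVersionMismatch {
    param(
        [string]$DisplayNameLike = "7-Zip*",   # product from the notes above
        [string]$ExeName         = "7z.exe"    # assumption: main executable of that product
    )
    $uninstallKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",             # 64-bit (or native) installs
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"  # 32-bit installs on x64
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not ($p.DisplayName -like $DisplayNameLike)) { return }

            # InstallLocation is optional in the Uninstall key, so guard before Join-Path
            $fileVersion = "<exe not found>"
            if ($p.InstallLocation) {
                $exe = Join-Path $p.InstallLocation $ExeName
                if (Test-Path $exe) {
                    $fileVersion = (Get-Item $exe).VersionInfo.ProductVersion
                }
            }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                RegistryVersion = $p.DisplayVersion
                FileVersion     = $fileVersion
                Bitness         = if ($key -like "*WOW6432Node*") { "x86" } else { "x64/native" }
                # String compare: "16.04" vs "18.06" is the case from the notes. Products that
                # stamp four-part file versions need a normalised compare; treat this as a hint.
                Mismatch        = ($fileVersion -ne $p.DisplayVersion)
            }
        }
    }
}

Get-InstalledVersionMismatch | Format-Table -AutoSize
```

To check several clients at once, run the function remotely: `Invoke-Command -ComputerName PC1,PC2 -ScriptBlock ${function:Get-InstalledVersionMismatch}`. Any row with Mismatch = True is a machine where a later manual install or an older push left the registry out of step with the binary, which is exactly the state that makes "which version is really installed" hard to answer from inventory data.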

Windows 2008 R2 + Exchange 2010

ServerManagerCmd -ip D:\Scripts\Exchange-Typical.xml -Restart
Set-Service NetTcpPortSharing -StartupType Automatic

get-user -filter "department -eq 'sales'"
get-user -filter "department -like 'sales*'"
get-mailbox administrator | fl name,emailaddresses

Set Send on Behalf and Send-As permission (assistant may send for boss):
set-mailbox boss -grantsendonbehalfto assistant
add-adpermission boss -extendedrights send-as -user assistant
restart-service msexchangeis

Show the user forwarding status:
get-mailbox Username | fl name,forwardingaddress,delivertomailboxandforward,recipientlimits

Show each user send receive limit:
get-mailbox | ft name,maxsendsize,maxreceivesize

Global message size limit:
get-transportconfig | fl max*size,maxrecipientenvelopelimit

Add retention deleted items:
new-retentionpolicytag "tag-deleteditems" -type "deleteditems" -comment "deleted items are purged in 60 days" -retentionenabled $true -agelimitforretention 60 -retentionaction permanentlydelete

Add retention default policy:
new-retentionpolicytag "tag-default" -type all -comment "items without a retention tag are deleted in 1 year." -retentionenabled $true -agelimitforretention 365 -retentionaction movetodeleteditems -isprimary $true

Add retention business policy:
new-retentionpolicytag "tag-businesscritical" -type personal -comment "business critical messages are moved to the archive in 3 years." -retentionenabled $true -agelimitforretention 1095 -retentionaction movetoarchive

Add retention policy (groups the tags):
new-retentionpolicy "RP1" -retentionpolicytaglinks "tag-deleteditems","tag-businesscritical","tag-default"

Apply to user:
set-mailbox username -retentionpolicy RP1 -confirm:$false

restart-service msexchangeis

Remove retention:
set-mailbox username -retentionpolicy $null
remove-retentionpolicy RP1
get-retentionpolicytag | remove-retentionpolicytag

Grant user2 Full Access to user1's mailbox:
add-mailboxpermission user1 -accessrights fullaccess -user user2
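The Send on Behalf, Send-As and Full Access grants above are the three delegations that most often accumulate unnoticed and that an attacker with one compromised account benefits from, so they are worth reporting periodically. The following is an added example, not part of the original notes, covering both the Send-As/Send on Behalf section and the Full Access command just above: it enumerates every explicit, non-default delegation in the organisation from the Exchange Management Shell and writes them to a CSV. The output file name is a placeholder.

```powershell
# Added example (not from the original notes): report all non-default mailbox delegations.
# Run in the Exchange 2010 Management Shell. -ResultSize Unlimited can take a while.
function Get-MailboxDelegationReport {
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        # Send on Behalf is stored as a multi-valued attribute on the mailbox itself
        foreach ($grantee in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox = $mbx.Alias; Right = "SendOnBehalf"; User = $grantee.Name }
        }
        # Send-As is an AD extended right on the user object (set with add-adpermission above).
        # Filter out inherited ACEs, the mailbox owner (SELF) and deny entries.
        Get-ADPermission -Identity $mbx.DistinguishedName |
            Where-Object {
                $_.ExtendedRights -like "*Send-As*" -and
                -not $_.IsInherited -and -not $_.Deny -and
                $_.User -notlike "NT AUTHORITY\SELF"
            } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mbx.Alias; Right = "SendAs"; User = "$($_.User)" } }
        # Full Access is a store permission on the mailbox (set with add-mailboxpermission above)
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -like "*FullAccess*" -and
                -not $_.IsInherited -and -not $_.Deny -and
                $_.User -notlike "NT AUTHORITY\SELF"
            } |
            ForEach-Object { [pscustomobject]@{ Mailbox = $mbx.Alias; Right = "FullAccess"; User = "$($_.User)" } }
    }
}

Get-MailboxDelegationReport |
    Sort-Object Mailbox, Right, User |
    Export-Csv -Path ".\mailbox-delegations.csv" -NoTypeInformation   # placeholder path
```

Diffing two runs of the CSV (for example with `Compare-Object (Import-Csv old.csv) (Import-Csv new.csv) -Property Mailbox,Right,User`) shows delegations that were added since the last review, which is usually the question an auditor or incident responder actually asks.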

Display all EDB paths:
get-mailboxdatabase | fl name,edbfilepath

Show database header state (Clean Shutdown or Dirty Shutdown); the database must be dismounted first:
eseutil /mh <path\to\database.edb>

Soft recovery, replaying the transaction logs (E05 is that database's log file prefix):
eseutil /r E05

Hard repair (last resort: pages that cannot be fixed are discarded, so data loss is possible):
eseutil /p <path\to\database.edb>

Integrity check:
eseutil /g <path\to\database.edb>

Checksum verification:
eseutil /k <path\to\database.edb>

Space usage dump:
eseutil /ms <path\to\database.edb>

Offline defragmentation (needs free disk space larger than the database):
eseutil /d <path\to\database.edb>
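Deciding between /r and /p starts with reading the header state, and the log prefix for /r comes from the database object. The following is an added example, not part of the original notes: it dismounts the named database, runs eseutil /mh, parses the State and Log Required fields and suggests the next command. The database name "MDB01" is a placeholder; eseutil is on the path inside the Exchange Management Shell.

```powershell
# Added example (not from the original notes): read an Exchange 2010 database header
# and propose the next eseutil step. Run in the Exchange Management Shell as an admin.

# Pull one "Name: value" field out of eseutil /mh output; "<not found>" if absent.
function Get-HeaderField {
    param([string[]]$Lines, [string]$Name)
    $pattern = '^\s*' + [regex]::Escape($Name) + ':\s*(.+)$'
    $m = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { "<not found>" }
}

function Get-EdbShutdownState {
    param([Parameter(Mandatory)][string]$Database)
    $db      = Get-MailboxDatabase -Identity $Database
    $edbPath = $db.EdbFilePath.PathName
    $logPath = $db.LogFolderPath.PathName
    $prefix  = $db.LogFilePrefix        # the "E05" in the eseutil /r example above

    # /mh needs exclusive access to the file: dismount (users lose access until remount)
    if ($db.Mounted) { Dismount-Database -Identity $db.Name -Confirm:$false }

    $header = & eseutil /mh $edbPath
    $state  = Get-HeaderField -Lines $header -Name "State"
    $logReq = Get-HeaderField -Lines $header -Name "Log Required"

    $next = if ($state -eq "Clean Shutdown") {
        "Mount-Database '$($db.Name)'"
    } else {
        # Soft recovery first; /p (hard repair) only if the required logs are gone
        "eseutil /r $prefix /l '$logPath' /s '$logPath' /d '$(Split-Path $edbPath)'"
    }

    [pscustomobject]@{
        Database    = $db.Name
        EdbPath     = $edbPath
        LogPrefix   = $prefix
        State       = $state
        LogRequired = $logReq
        NextStep    = $next
    }
}

Get-EdbShutdownState -Database "MDB01" | Format-List   # "MDB01" is a placeholder
```

A Dirty Shutdown with a non-empty Log Required range means the logs in that range must be present in the log folder for /r to succeed; check they exist before running it, and keep a file copy of the .edb before any /p, since hard repair is not reversible.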

Errors after adding an AD 2012 R2 domain controller to an AD 2003 domain

The DNS server was unable to create a resource record for fdb0ca48-99c5-4047-aaff-b3396816f239._msdcs.xx.xx. in zone xx.xx. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.


Back up all AD domain controllers first. On Windows 2012 R2, open ADSI Edit -> Connect to -> DC=ForestDNSZones,DC=xx,DC=xx



Starting test: NetLogons
[xxx] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges for this machine’s domain.
……………………. xxx failed test NetLogons


Starting test: KccEvent
A warning event occurred.  EventID: 0x80000603
Time Generated: 03/29/2015   23:22:08
Event String:
Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

Starting test: SystemLog
A warning event occurred.  EventID: 0x80040020
Time Generated: 03/29/2015   23:22:08
Event String:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

My AD runs on Hyper-V. This is a reminder that if write caching is enabled (on the disk in Device Manager), data loss is possible on power failure. There seems to be no fix; the situation is similar to a RAID controller's write cache, but hardware RAID has battery protection and this does not, and it cannot be disabled either.


Starting test: FrsEvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.


The server holding the PDC role is down

After upgrading the AD forest from 2000 to 2003, both domain controllers showed the following error

dcdiag /test:FSMOcheck

Warning: DsGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355.
A Good Time Server could not be located.

It then turned out that the Windows Time service on both controllers suddenly could not start: "The system cannot find the file specified".



w32tm /unregister
w32tm /register

I have sometimes seen workstations where Windows Time is missing from the Services list; w32tm /register fixes those as well.
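The re-register fix above, wrapped so it handles both cases described (service present but failing, and service missing entirely) and then verifies that a time source is found again. This is an added example, not part of the original notes; it needs an elevated PowerShell prompt.

```powershell
# Added example (not from the original notes): re-register W32Time and verify sync.
# Run elevated. Covers a missing service as well as one that will not start.
function Repair-W32Time {
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue
    if ($svc) {
        # Service exists but misbehaves: stop it and drop its registration + settings
        if ($svc.Status -ne "Stopped") { Stop-Service -Name W32Time -Force }
        & w32tm /unregister | Out-Null
    }
    # Missing or just unregistered: recreate the service with default settings
    & w32tm /register | Out-Null
    Set-Service -Name W32Time -StartupType Automatic
    Start-Service -Name W32Time

    # Ask for a fresh source and resync; on member machines and non-PDC DCs this is
    # the domain hierarchy, the PDC emulator should point at an external NTP source.
    & w32tm /resync /rediscover | Out-Null

    [pscustomobject]@{
        Service = (Get-Service -Name W32Time).Status
        Source  = (& w32tm /query /source | Out-String).Trim()
        Status  = (& w32tm /query /status | Out-String).Trim()
    }
}

Repair-W32Time | Format-List

# On a domain controller, repeat the check that reported the error above
dcdiag /test:FSMOcheck
```

If `Source` still reports "Local CMOS Clock" on a domain controller after this, the time hierarchy is not configured rather than the service being broken; `w32tm /config /syncfromflags:domhier /update` on member DCs, or a manual NTP peer list on the PDC emulator, is the next thing to look at.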